Role-Based Access Control (RBAC) in PDQ Deploy & Inventory

Starting with version 20.0.5.0, PDQ Deploy & Inventory includes Role-Based Access Control (RBAC). Administrators use it to control what each user can do within the console by assigning permissions through roles.

Requirements

  • PDQ Deploy & Inventory version 20.0.5.0 or later
  • RBAC enabled in PDQ Inventory
  • Administrative access to the Inventory console
  • RBAC scope: RBAC is configured and managed through PDQ Inventory and applies to both PDQ Inventory and PDQ Deploy.
  • Initial setup: When enabling or configuring RBAC for the first time, you must sign in to the PDQ Inventory console as the background service user.
  • Run As requirement: If needed, launch the console using Run As and specify the background service account. If you enable RBAC as a different user, you may be locked out with no permissions.

How RBAC Is Managed

All RBAC configuration is performed in PDQ Inventory. This includes roles and permissions that apply to both Inventory and Deploy.

In PDQ Deploy, RBAC is limited to:

  • Viewing the current console user’s effective permissions
  • Enabling or disabling RBAC

The following sections describe how roles and permissions behave once RBAC is enabled.

Console Users and Default Roles

  • The background service user is automatically assigned the Super User role
  • The Super User role has unrestricted access
  • Any new console users default to the Default role

The Default role:

  • Cannot be edited
  • Has no permissions assigned

Users assigned only to the Default role will not be able to perform any actions in the console.

Creating a Help Desk Role

In this example, a limited Help Desk role is created for a level-one technician.

  1. Open PDQ Inventory
  2. Navigate to RBAC or Roles
  3. Click New Role
  4. Name the role Help Desk
  5. Assign only the permissions required to run deployments
  6. Save the role

At this stage, the Help Desk role:

  • Can run deployments
  • Cannot modify packages
  • Cannot edit collections

Assigning the Role to a User

  1. Navigate to User Management
  2. Select the console user
  3. Assign the Help Desk role
  4. Save changes

Role changes apply immediately. The user does not need to log out and back in.

Validating Permissions in Real Time

When logged in as the Help Desk user:

  • Inventory data is visible (read access)
  • Collections cannot be modified
  • Packages cannot be edited or deleted
  • Deployments can be executed

If permissions are updated on the role, access changes immediately without restarting the console.

Expanding the Role

If additional permissions are required:

  1. Edit the existing role
  2. Add permissions such as modifying packages or collections
  3. Save the role

The user will instantly gain the new permissions.


Audit Log and RBAC

RBAC works in conjunction with the Audit Log:

  • Users can view audit events they generated
  • Super Users can view audit logs for all users
  • System-generated actions (scheduled scans, schedules) are not logged

This allows administrators to both restrict actions and verify that controls are working as intended.


Best Practices

  • Enable RBAC while logged in as the background service user
  • Start with restrictive roles and expand permissions as needed
  • Validate permissions by switching users during setup

Wrapping Up

RBAC provides fine-grained, real-time control over user access in PDQ Deploy & Inventory. By defining roles in PDQ Inventory and assigning them appropriately, administrators can safely delegate responsibilities without overexposing critical functionality.

